Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Dave Bittner
Hey everybody. Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

NATO hosts the world's largest cyber defense exercise. The DOJ charges a dozen people in a racketeering conspiracy involving the theft of over $230 million in cryptocurrency. Japan has enacted a new active cyber defense law. Lawmakers push to reauthorize the Cybersecurity Information Sharing Act. Two critical Ivanti Endpoint Manager Mobile vulnerabilities are under active exploitation. Hackers use a new fileless technique to deploy Remcos RAT. The NSA's Director of Cybersecurity hangs up their hat. Our guest is Chris Cleary, VP of ManTech's Global Cyber Practice, discussing the cyber battlespace of the future. And Coinbase flips the script on an extortion attempt.

It's Friday, May 16, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Friday. It is great to have you with us.

Earlier this week, the NATO Cooperative Cyber Defence Centre of Excellence hosted Locked Shields 2025, the world's largest cyber defense exercise, in Tallinn, Estonia. Around 4,000 experts from 41 countries participated remotely, simulating the defense of over 8,000 systems against thousands of cyber attacks. The event, which began in 2010 with just four nations, now features advanced challenges including AI-driven narratives and quantum computing scenarios. Teams also tackled legal, strategic and disinformation challenges. While the Germany, Singapore, Poland, France, Italy, Slovenia and US teams scored highest, organizers stressed that scores don't reflect overall national readiness. The exercise, planned by 450 experts and 25 industry partners, highlights the growing global focus on cyber resilience. Looking ahead, 2026 will expand cloud infrastructure and introduce critical special systems to further bolster national defense capabilities.

Twelve people have been charged by the DOJ in a racketeering conspiracy involving the theft of over $230 million in cryptocurrency. They allegedly used spoofed phone calls and social engineering to breach victim accounts, reset 2FA and access private keys. A major theft involved 4,100 Bitcoin stolen from a victim in Washington, D.C. in August of last year. The group used crypto mixers, exchanges, VPNs and peel chains to launder funds into currencies like Monero. The money funded extravagant lifestyles: private jets, exotic cars, $500,000 nightclub tabs and other luxury goods. Two suspects were arrested earlier. The scheme involved roles ranging from hackers to money launderers. Despite laundering efforts, investigators linked the stolen funds back to the group with help from crypto sleuth ZachXBT and the FBI.

Japan has enacted a new active cyber defense law, allowing preemptive cyber operations to disrupt threats before they cause harm. This marks a shift from Japan's traditionally defensive stance and aligns its cyber policy more closely with Western powers. The law authorizes law enforcement to neutralize hostile servers and grants the Self-Defense Forces authority over complex attacks. It also permits monitoring of foreign Internet traffic entering or transiting Japan, with oversight measures in place. The move follows a surge in state-sponsored and financially driven cyberattacks.

In the U.S., lawmakers from both parties are pushing to reauthorize the Cybersecurity Information Sharing Act, confusingly named CISA, before it expires on September 30. The law is seen as vital for enabling threat intelligence sharing between the government and private sector, bolstered by liability and privacy protections. Despite strong support from DHS Secretary Kristi Noem, reauthorization faces a tight deadline and unclear leadership support. Privacy concerns remain the biggest hurdle, though a recent DHS report found no violations under the law. Lawmakers are calling for a clean reauthorization with a possible update later. Subcommittee members also pushed to expand security clearance access to more technical professionals, arguing that current restrictions limit response effectiveness. The law has enabled the sharing of critical cyber threat data and is considered key to national cyber defense.

Meanwhile, 17 Republican lawmakers, led by Senator Tom Cotton, urged the Trump administration to ban U.S. sales of TP-Link routers, citing national security concerns. They allege the Chinese company has ties to the CCP, uses predatory pricing and poses a surveillance risk. TP-Link denies these claims, calling them baseless and politically motivated. Lawmakers referenced Executive Order 13873, signed by President Donald Trump in May 2019, to justify the ban. It grants the U.S. Secretary of Commerce the authority to block transactions involving information and communications technology or services linked to foreign adversaries if they pose an unacceptable risk to national security. TP-Link, which has a U.S. office in California, insists it isn't state-sponsored and has not been contacted by U.S. regulators.

Two critical vulnerabilities in Ivanti Endpoint Manager Mobile are under active exploitation, putting organizations at risk of unauthenticated remote code execution. The flaws affect all on-premises versions up to 12.5 and stem from open source library issues, not Ivanti's core code. When chained, they let attackers bypass authentication and inject malicious Java code via improperly validated API input. The vulnerabilities allow attackers to install malware, access data, or disable device management. Ivanti and global cybersecurity agencies urge immediate patching to fixed versions. If updating isn't possible, temporary mitigations and close monitoring are essential. Unpatched systems are at high risk as proof-of-concept code circulates publicly.

Hackers are using a new fileless technique to deploy Remcos RAT malware through a PowerShell-based loader, bypassing Windows Defender. The attack begins with a malicious ZIP file containing a spoofed LNK shortcut. When opened, it triggers an obfuscated script that alters registry settings for persistence and injects multiple payloads, including Remcos version 6 Pro. This updated version adds idle time tracking and infected host management. Researchers stress monitoring for LNK files, PowerShell misuse and registry changes to detect and prevent such threats.

Dave Luber, the National Security Agency's Director of Cybersecurity, will retire at the end of this month after 38 years of distinguished service. Luber's career, which began as a high school work-study participant, reflects deep commitment and steady leadership across decades of change. Rising through roles including Executive Director of U.S. Cyber Command and Director of NSA Colorado, Luber brought a calm, collaborative approach to cybersecurity at a time of global digital unrest. Colleagues praise his efforts to improve intelligence sharing and strengthen public-private partnerships amid escalating threats like China's Volt Typhoon campaign. Former NSA Deputy Director George Barnes called him competent, caring, communicative and an all-around great leader, adding that Luber's presence will be sorely missed. His legacy, rooted in service and strategy, will continue shaping national cybersecurity for years to come.

Coming up after the break, my conversation with Chris Cleary, VP of ManTech's Global Cyber Practice. We're discussing the cyber battlespace of the future. And Coinbase flips the script on an extortion attempt. Stay with us.

And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.

Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001 and HIPAA, getting you audit-ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a dot com.

Christopher Cleary is VP of ManTech's Global Cyber Practice. And in today's sponsored Industry Voices discussion, we consider the cyber battlespace of the future. What are some of the biggest cyber threats that you see facing the US today?
Christopher Cleary
If you would have asked me that question 20 years ago, I might have said, based on the things that I'm seeing, this is what I'm concerned about. The uniqueness of today is everybody sees them. This is no longer an academic exercise. This is not a philosophical conversation of what could happen or what might happen if a sophisticated adversary started looking at our, let's say, our critical infrastructure. Volt Typhoon and Salt Typhoon have been eye-opening experiences. This is something that we no longer have to confirm or deny; they're doing it for us. They're demonstrating the capabilities to do these things. And I think what is more and more interesting, when you start getting to some of the philosophical military philosophy of, let's say, the Chinese military organization, the targeting of our critical infrastructure is a key first indicator, first movement advantage of them. So this is not them being in our infrastructure because it's an interesting intelligence problem they're trying to solve. This is pre-positioning to degrade certain functionality of what we do over here, prior to, you know, let's say, you know, a move on Taiwan. But we all see it now. We're all witnessing it. My concern is we're not moving fast enough.
Dave Bittner
Why do you say that? What are the shortcomings here?
Christopher Cleary
Well, it is clear what, let's say in this instance, China is doing, again, Volt and Salt Typhoon. So there's no questioning the capabilities of certain adversaries to do certain things in our infrastructure. There's also no shortage of companies that have come up with technologies to solve this problem. There's plenty of those out there. The question that I've always had is how have those two things still not seemed to come together?
Dave Bittner
So are we waiting for the problem? I hate to say, you know, that old chestnut of cyber 9/11, but is that what it's going to take?
Christopher Cleary
That is the thing I'm struggling with. So the cyber 9/11 is something we talk a lot of. I don't know if we're actually going to see that in the way that we think we're going to see it, because we've seen other things that I would argue culminate to that. SolarWinds, Colonial Pipeline, the North Korean attack on Sony, there's several, again, Salt and Volt Typhoon that have happened just recently. Now, the problem is, with the exception of what we saw at Sony, those other things I would argue are using the word attack incorrectly. I'm a classically trained military officer, enlisted in the Navy, went to the Naval Academy, went to the Naval War College. When the military uses the word attack, it has a very, very specific definition. Definitionally, it's something that is with the intent to injure or kill personnel or damage or destroy equipment. That is an attack. Everything shy of that can be stuff that we're not happy about, but it doesn't quantify to the category of an attack. When we call every cyber incident an attack, then the ones that are really, really bad are called an attack, and the ones that are not so bad are called an attack. And they all begin to blend together and they all begin to lose meaning. Because I would argue if we save the word attack for things that met a very specific definition, it would then call into question how we are going to respond to these things. So you doing a firewall scan, an event, somebody might call that an attack? Well, I would disagree. That wasn't done with the intent to damage or destroy equipment. Even if you steal something, well, that's a criminal activity. It might even be associated with espionage. But was it an attack? I would say no. Now Sony, on the other hand, the North Koreans intentionally had the intentions to damage and destroy equipment that was arguably a U.S. company or some affiliates in the U.S.
I know it's owned by a parent in Japan, but the point is it was done with the intent to damage or destroy information. To me that's an attack. By its definition, it's an attack and we should have had a way to respond to that, and we missed that opportunity, in my opinion, to respond in a way that we could have. The Department of Defense needs information technology to support those missions. Yes, we need computers to send email and we need command and control systems to push data. But now this is also a domain in which we're going to conduct warfare. They are looking for means and methods to deliver effects in the domain that are not necessarily kinetic in nature. What makes this space really interesting in the near term, almost every major weapons system that we're acquiring right now is over budget, behind schedule and suffers from major supply chain and workforce shortages. The ability to move over to the non-kinetic space. And when I say cyber, I'm really talking about electronic warfare, information operations, space, AI, machine learning. All of that is sort of, I'm just using cyber as sort of the blanket term which is referencing all things fundamentally non-kinetic, which are relatively inexpensive to acquire compared to, let's say, a Ford-class aircraft carrier, relatively quick to market and relatively unconstrained by range. And I think when you look at companies like ManTech that are trying to push this narrative, it's really about, hey, the way that we see warfare today really lives in the world of the kinetic mind. Drones have been introduced into the space: autonomous systems, systems that are cheaper, attritable (that is, we don't care if we lose them) and easy to sort of maintain. That's the drone world. Well, outside of that, the next one is, well, leveraging non-kinetic effects to go after command and control systems and targeting systems and satellite systems and infrastructure that moves trains around or moves water around or keeps electricity flowing.
All of those are target sets and all of those can be engaged, theoretically, through the non-kinetic spectrum at a much reduced cost.
Dave Bittner
It's my perception that from the government's point of view there is an intentionality in not drawing bright lines when it comes to cyber. And when you combine that with the private industry's desire to sell cyber to businesses and to the government, so it's in their best interest to make this seem as scary as possible, I think you get an interesting tension there.
Christopher Cleary
So what you're sort of hinting at is another really hotly debated topic within the cyber community. Should we have a Cyber Force? Should CyberCom and NSA be separated? I have my opinions. A lot of them are predicated around things like force generation. CyberCom can have enhanced budget control, but CyberCom can't force the Navy to produce more cyber warfare engineers. So that is one of the problems. That would be one of my arguments for a cyber service, but I'm only like 51% in favor of that. And it's all around force generation. I know all the other problems that would be caused by a cyber service. But to get back to the other point of your question, what's interesting about that is I had a general that I was, I'm very, very fond of, when we were having a conversation very similar to this and I was, you know, advocating for offensive cyber. And, you know, he's bringing to the attention the vulnerabilities that we have. And he says, Chris, when you're covered in gasoline, you don't wanna have a match fight. And I said, okay, I get that, but you're saying I am covered in gasoline. If I don't have a match, they won't have a match. So they're certainly gonna throw a match at me because I'm covered in gasoline. So the point is the vulnerabilities that we have in all of our systems I think are one of the reasons why we didn't necessarily wanna poke the bear. Right? I don't wanna necessarily have a cyber-on-cyber fight because maybe I have much more to lose, because our adversaries are for the most part unconstrained in the way they would think about targeting us, whether population or infrastructure or critical infrastructure. And we are more constrained, where we would only want to leverage, let's say, cyber capabilities to engage, let's say, military war fighting capacity of our adversaries. I think that's one of the things. And then you get into this idea of the difference between tools and weapons.
Google and Microsoft are never going to get into the cyber weapons game. But they certainly provide an environment that is an attractive target to our adversaries. The Department of Defense runs on Windows. I mean, that's just a fact. And there's some weapons systems that run on Windows. Just a fact, commercially provided. And our adversaries know that. And they work on means and methods to figure out how to deliver effects against that environment. For instance, infrastructure's a really good topic to talk about because, you know, if I find an adversary in my water treatment plant, there's nothing there that's inherently an intelligence value to them. You know, there's no piece of equipment in that plant that they couldn't go out and buy commercially. Hell, you could probably ask the company that made that plant to come into your country and build the exact same thing there.
Dave Bittner
Right.
Christopher Cleary
So there's really no, you know, all that stuff's publicly available.
Dave Bittner
Yeah.
Christopher Cleary
So the only reason you're there is you potentially want to impact the operations of that water treatment plant at a time and place of your choosing. Now, there are some cyber norms that were put out by, you know, there's a group in Estonia that put out cyber norms, and infrastructure is one of these things. They would consider a cyber norm like thou shalt not engage critical infrastructure of another country because of the impact it would have to the civilian population. But when you really become sort of a student of the art of warfare or the laws of armed conflict, well, if I have a bridge, and that bridge supports commerce for two towns on either side, it's not a military target until there's a tank on it. If a tank is crossing that bridge, it's a legitimate military target for those reasons. And I think what you're saying is there's a lot of industry in the United States that is not only of interest to our adversaries to maybe gain some inherent intelligence value from it. Sure. Steal intellectual property, all that other stuff. But then there's a lot of things that are here that are legitimate military targets because of the way those things support military activities. Baltimore Gas and Electric is a legitimate military target because it provides something like 80% of the electricity to the National Security Agency, which is a military target. Right. So the things supporting it, the second and third order things, are in themselves defined as legitimate military targets. Now, if Baltimore Gas and Electric did not support electricity to a military war fighting capacity, then you'd say, well, no, that's not in bounds. You just made a lot of people unhappy. You could argue a lot of the things the Soviets are targeting in Ukraine are just to make the population over there miserable. I'm bombing a power plant because I want the power to go off in a city. And that power doesn't necessarily support military activity.
Dave Bittner
Or a hospital.
Christopher Cleary
Or a hospital. Right. Those are out of bounds. And now the real question comes in is how do these companies really protect themselves? Because there's only so much I would expect a company to do. If you find yourselves in the crosshairs of a well-resourced, dedicated, sophisticated adversary like China, I wouldn't expect Baltimore Gas and Electric to fully be able to protect itself. There's some things they should be doing. Of course, there's best practices. There's probably a lot of technology they should be applying to protect and defend. But a company like Baltimore Gas and Electric, I need it to be survivable, not necessarily cybersecure.
Dave Bittner
Let's talk about this notion of full spectrum cyber and this idea that offensive cyber expertise informs defensive cyber strategies. Can you unpack that for us?
Christopher Cleary
Everybody says that offense has the advantage, right? You know, I have to be right once. The defender has to be right all the time. And you're always going to find some kind of little hole. You know, offense is intent. I think when we really start talking about what could be happening in the future, we're really talking about the difference between, like, a tool and a weapon, right? If I'm on your system because I want to break it, it's not the same as if I'm on your system because I want to steal the information. Now, stealing the information mostly we see through intellectual property or just good old intelligence collection. But when we start talking about offense informs defense, I think we are pretty mature as a community. Whether it's people in uniform or people out of uniform, there's lots of people that have demonstrated proficiency, whether it's companies or organizations or communities, to do those things. What you find is most cyber is in the mind. It's the person that knows how to sort of operate in and through an environment, leveraging whatever technology they have access to. There's a lot of things that script kiddies can use now. So there are tools that make it easier, but your real professionals are the ones that still live in the command line and know how to operate on demand or operate on the fly. The trick is, when you look at equipping, let's say, cyber forces in the DoD, is how do I begin to present capability in such a way that the lowest common denominator cyber operator can be presented something and still have the ability to be effective in the area that you've asked them to be. I think you see variances in capability when you look at the cyber community, whether people in uniform, out of uniform or working with industry building offense and defense capability to support all the above.
Dave Bittner
So in your estimation, what is the role that industry plays here, helping government agencies improve their cyber posture?
Christopher Cleary
I guess it's kind of mission dependent. Right. So I'm going to speak for ManTech specifically. We are a national security company, so when we look at the things that we do, we're principally supporting the Department of Defense or the intelligence community. So the things that we're looking to provide are things that you wouldn't necessarily go to Microsoft or Google or Amazon to get. We're supporting very specific missions, which means we're making capabilities that you're not going to find out there on the public market, to put not too fine a point on it. You know, non-kinetic capabilities designed to deny, degrade, destroy, disrupt or collect intelligence, you know, or support the survivability of things that we need, to go beyond cybersecurity and move into cyber survivability. Like, there's lots of companies that are going to do the basic cybersecurity stuff just better than us, but we're going to acknowledge that there's people that make really, really good products. When you start moving beyond traditional cybersecurity and moving into cyber survivability and survivor strike or dominance or delivering effects in the community, it's more than a slightly different skill set, but it's also a different intention and where you want to invest resources to enable and support DoD-specific missions, which again there's a smaller market for us. Operational technology needs to be survivable and our military branches need to be able to deliver effects in this domain that put the hurt on adversary systems, whether it be in weapon systems or infrastructure that goes to support that. I'm not going to go so far as to say critical infrastructure like civilian water and power, but certainly infrastructure in place used to support those systems, or the things we're going to be thinking about building capability for.
Dave Bittner
So you're collaborating with the government on the horizon of the possible.
Christopher Cleary
What makes this world so interesting is the cyber game. The book has not been written yet. If I looked at air warfare, or we've seen Top Gun and we've seen Hunt for October, those communities have been around for a long, long time. I think what's interesting in this space is, you know, new fresh talent could be as relevant, if not more relevant, on day one because of, you know, the idea of them being digital natives. You know, a lot of the senior military people are arguably still struggling with what this thing called cyber is, when, you know, the new cadre of digital natives graduating school who know Twitter and X and, you know, all, I can't even keep up with my own kids. You know, apps, I wish I, and I do this for a living, right? They're just more comfortable in this environment. And I think those are the ones that are really going to turn this domain into what it's destined to be. So when I talk to a lot of new people coming into the world, one of my sayings I would go to them with is, look, I know I don't know what you know, and I know I know that. My point is I know, and I'm just gonna push the believe button, that I'm probably never even gonna understand what you're trying to tell me. Even though I don't understand it doesn't mean I'm not gonna approve it or endorse it or support it or champion it, because I believe you are the future, even if I can't understand the ones and zeros of how you're getting there. The irony is a lot of the debates we're having as a military over these new technologies, if you started reading books of the late 1800s, early 1900s, talking about the submarine or the airplane, all these debates are exactly the same. We had all of these debates 100 and some odd years ago. And the irony is 100 years later, we're having them again. We just insert cyber for submarine and AI for airplane. They're all the same.
Dave Bittner
Well, Chris, thank you so much for taking the time for us today and sharing your expertise.
Christopher Cleary
Yeah, thank you so much. I really enjoyed being here.
Dave Bittner
That's Christopher Cleary, VP of Global Cyber Practice at ManTech.

What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.

And finally, Coinbase is offering a $20 million bounty. But not for lost treasure. The crypto giant is hunting the modern-day pirate who tried to extort the company using stolen customer data. The would-be blackmailer emailed Coinbase demanding $20 million or else they'd leak user info. Coinbase's response? A firm no, followed by a blog post worthy of a cyber thriller. According to Coinbase, the breach stemmed from a small group of overseas customer support agents, reportedly in India, who were persuaded by cash offers to leak data affecting fewer than 100,000 users. The company fired the insiders and is now prepping for remediation costs between $180 million and $400 million, because apparently loose lips really do sink crypto ships. While no funds or login credentials were stolen, customer info like emails, masked Social Security numbers and transaction histories were. Coinbase urges users to beware of imposters and phishing scams and is promising reimbursement to any victims duped by the fallout. The moral of the story: if you plan to extort a crypto giant, don't forget that karma is also decentralized.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Max Gannon from Cofense Intelligence. The research is titled "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care cyberwire.
Podcast Summary: CyberWire Daily – "Preparing for the Cyber Battlespace"
Release Date: May 16, 2025
The latest episode of CyberWire Daily, hosted by Dave Bittner and powered by N2K Networks, delves into the evolving landscape of cybersecurity. The episode highlights recent significant events, explores emerging threats, and features an insightful discussion with Chris Cleary, Vice President of ManTech's Global Cyber Practice, on preparing for future cyber battlespaces.
Headlines covered:
NATO’s Largest Cyber Defense Exercise: Locked Shields 2025 [00:02]
DOJ Charges in Cryptocurrency Theft Conspiracy [00:12]
Japan’s Active Cyber Defense Law [00:12]
Reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) [00:12]
TP-Link Router Sales Ban Proposed by U.S. Lawmakers [00:12]
Critical Vulnerabilities in Ivanti Endpoint Manager Mobile [00:12]
Emergence of a New Fileless Technique Deploying Remcos RAT [00:12]
Retirement of NSA Director of Cybersecurity Dave Luber [00:12]
Coinbase’s Response to an Extortion Attempt [00:12]
Guest: Chris Cleary, Vice President of ManTech's Global Cyber Practice
Moderator: Dave Bittner
Current Landscape: Chris Cleary emphasizes the unprecedented visibility into, and confirmation of, advanced cyber threats, citing the Volt Typhoon and Salt Typhoon operations as evidence of adversaries' capability and intent to target critical infrastructure.
Quote: “This is not them being in our infrastructure because it's an interesting intelligence problem they're trying to solve. This is pre-positioning to degrade certain functionality of what we do over here.” [13:30]
Military Philosophy: Cleary discusses the Chinese military's strategic use of cyber capabilities as a first indicator and advantage in potential conflicts, particularly concerning critical infrastructure that supports military operations.
Urgency in Response: Despite recognizing the threats and available technological solutions, Cleary expresses concern that the U.S. is not advancing swiftly enough to counteract these cyber threats effectively.
Quote: “My concern is we're not moving fast enough.” [13:30]
Overlap of Capabilities and Solutions: Cleary questions why existing technologies to combat cyber threats haven’t effectively merged with the growing recognition of these threats.
Terminological Clarity: He stresses the importance of accurately defining what constitutes a cyber "attack" to maintain clarity in response strategies.
Quote: “If we save the word attack for things that met a very specific definition, it would then call into question how we are going to respond to these things.” [15:09]
Intentionality in Cyber Warfare: Differentiating between criminal activities and state-sponsored attacks, Cleary underscores the necessity of attributing intent correctly to formulate appropriate defensive and offensive strategies.
Cyber Command vs. Cyber Service: Cleary touches on the internal debates within the cyber community regarding the establishment of a dedicated cyber force versus integrating cyber operations within existing military structures like Cyber Command and the NSA.
Quote: “Cybercom can have enhanced budget control, but Cybercom can't force the Navy to produce more cyber warfare engineers.” [19:39]
Operational Challenges: He acknowledges the complexities and potential issues that could arise from creating a separate cyber service, including force generation and budgetary considerations.
Infrastructure as a Target: Cleary argues that critical infrastructure supporting military operations, such as power plants and water treatment facilities, is a legitimate military target precisely because of the role it plays in national security.
Quote: “Baltimore Gas and Electric is a legitimate military target because it provides something like 80% of the electricity to the National Security Agency.” [22:11]
Survivability Over Security: For companies integral to national defense, Cleary advocates for cyber survivability—ensuring that essential operations can continue despite cyber attacks—over traditional cybersecurity measures.
Quote: “If you find yourselves in the crosshairs of a well-resourced, dedicated, sophisticated adversary like China, I wouldn't expect Baltimore Gas and Electric to fully be able to protect itself.” [23:56]
Offense vs. Defense: Cleary discusses the age-old adage that "offense has the advantage," contrasting it with the defensive challenge where defenders must be perpetually vigilant.
Quote: “The defender has to be right all the time. And you're always going to find some kind of little hole.” [24:49]
Tool vs. Weapon: He differentiates between using cyber tools for various purposes and weaponizing them, emphasizing that offensive actions require clear intent and distinct definitions to ensure effective defense mechanisms.
Integration of Non-Kinetic Operations: Cleary envisions a future where cyber operations integrate with other non-kinetic domains such as electronic warfare, information operations, space, AI, and machine learning to enhance overall military effectiveness.
Mission-Driven Solutions: Representing ManTech, Cleary explains their focus on providing specialized capabilities that support the Department of Defense and intelligence communities, going beyond what typical tech giants offer.
Quote: “When you start moving beyond traditional cybersecurity and moving into cyber survivability and survivor strike or dominance or delivering effects in the community, it's more than a slightly different skill set.” [26:41]
Collaboration with Government: Cleary highlights the importance of industry-government partnerships in developing bespoke solutions that address specific national security missions and enhance cyber resilience.
Talent and Future Outlook: He underscores the significance of attracting digital natives and fresh talent to shape the future of cyber warfare, noting that new generations bring essential skills and perspectives to this rapidly evolving domain.
Quote: “New fresh talent could be as relevant, if not more relevant on day one because of the idea of them being digital natives.” [28:33]
The episode of CyberWire Daily meticulously covers critical developments in the cybersecurity realm, from large-scale defense exercises and legislative actions to sophisticated cyberattacks and leadership transitions. The in-depth conversation with Chris Cleary provides valuable insights into the strategic considerations and proactive measures needed to navigate and secure the future cyber battlespace. As cyber threats continue to evolve, the collaboration between government entities and industry leaders remains paramount in fortifying national and global cybersecurity defenses.
For more detailed stories and updates, visit CyberWire Daily Briefing. Share your feedback and stay informed by subscribing to CyberWire Daily on your preferred podcast platform.